A company hosts an application on AWS. The application gives users the ability to upload photos and store the photos in an Amazon S3 bucket. The company wants to use Amazon CloudFront and a custom domain name to upload the photo files to the S3 bucket in the euwest- 1 Region. Which solution will meet these requirements? (Select TWO.)
A. Use AWS Certificate Manager (ACM) to create a public certificate in the us-east-1 Region. Use the certificate in CloudFront
B. Use AWS Certificate Manager (ACM) to create a public certificate in eu-west-1. Use the
certificate in CloudFront.
C. Configure Amazon S3 to allow uploads from CloudFront. Configure S3 Transfer Acceleration.
D. Configure Amazon S3 to allow uploads from CloudFront origin access control (OAC).
E. Configure Amazon S3 to allow uploads from CloudFront. Configure an Amazon S3 website endpoint.
How can DynamoDB data be made available for long-term analytics with minimal operational overhead?
A. Configure DynamoDB incremental exports to S3.
B. Configure DynamoDB Streams to write records to S3.
C. Configure EMR to copy DynamoDB data to S3.
D. Configure EMR to copy DynamoDB data to HDFS.
A company wants to publish a private website for its on-premises employees. The website consists of several HTML pages and image files. The website must be available only through HTTPS and must be available only to on-premises employees. A solutions architect plans to store the website files in an Amazon S3 bucket. Which solution will meet these requirements?
A. Create an S3 bucket policy to deny access when the source IP address is not the public
IP address of the on-premises environment Set up an Amazon Route 53 alias record to
point to the S3 bucket. Provide the alias record to the on-premises employees to grant the
employees access to the website.
B. Create an S3 access point to provide website access. Attach an access point policy to deny access when the source IP address is not the public IP address of the on-premises environment. Provide the S3 access point alias to the on-premises employees to grant the employees access to the website.
C. Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Use AWS Certificate Manager for SSL. Use AWS WAF with an IP set rule that allows access for the on-premises IP address. Set up an Amazon Route 53 alias record to point to the CloudFront distribution.
D. Create an Amazon CloudFront distribution that includes an origin access control (OAC) that is configured for the S3 bucket. Create a CloudFront signed URL for the objects in the bucket. Set up an Amazon Route 53 alias record to point to the CloudFront distribution. Provide the signed URL to the on-premises employees to grant the employees access to the website.
A company has a large amount of data in an Amazon DynamoDB table. A large batch of data is appended to the table once each day. The company wants a solution that will make all the existing and future data in DynamoDB available for analytics on a long-term basis. Which solution meets these requirements with the LEAST operational overhead?
A. Configure DynamoDB incremental exports to Amazon S3.
B. Configure Amazon DynamoDB Streams to write records to Amazon S3.
C. Configure Amazon EMR to copy DynamoDB data to Amazon S3.
D. Configure Amazon EMR to copy DynamoDB data to Hadoop Distributed File System (HDFS).
A company is developing a public web application that needs to access multiple AWS services. The application will have hundreds of users who must log in to the application first before using the services. The company needs to implement a secure and scalable method to grant the web application temporary access to the AWS resources. Which solution will meet these requirements?
A. Create an IAM role for each AWS service that the application needs to access. Assign
the roles directly to the instances that the web application runs on.
B. Create an IAM role that has the access permissions the web application requires.
Configure the web application to use AWS Security Token Service (AWS STS) to assume
the IAM role. Use STS tokens to access the required AWS services.
C. Use AWS IAM Identity Center to create a user pool that includes the application users. Assign access credentials to the web application users. Use the credentials to access the required AWS services.
D. Create an IAM user that has programmatic access keys for the AWS services. Store the
access keys in AWS Systems Manager Parameter Store. Retrieve the access keys from
Parameter Store. Use the keys in the web application.
A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally. The company's security team needs a single sign-on solution across all the company's AWS accounts. The company must continue to manage users and groups that are in the on-premises Active Directory Which solution will meet these requirements?
A. Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft
Active Directory. Configure the Active Directory to be the identity source for AWS 1AM
Identity Center
B. Enable AWS 1AM Identity Center. Configure a two-way forest trust relationship to connect the company's self-managed Active Directory with 1AM Identity Center by using AWS Directory Service for Microsoft Active Directory.
C. Use AWS Directory Service and create a two-way trust relationship with the company's self-managed Active Directory.
D. Deploy an identity provider (IdP) on Amazon EC2. Link the IdP as an identity source within AWS 1AM Identity Center.
A company is migrating applications from an on-premises Microsoft Active Directory that the company manages to AWS. The company deploys the applications in multiple AWS accounts. The company uses AWS Organizations to manage the accounts centrally. The company's security team needs a single sign-on solution across all the company's AWS accounts. The company must continue to manage users and groups that are in the on-premises Active Directory Which solution will meet these requirements?
A. Create an Enterprise Edition Active Directory in AWS Directory Service for Microsoft
Active Directory. Configure the Active Directory to be the identity source for AWS 1AM
Identity Center
B. Enable AWS 1AM Identity Center. Configure a two-way forest trust relationship to connect the company's self-managed Active Directory with 1AM Identity Center by using AWS Directory Service for Microsoft Active Directory.
C. Use AWS Directory Service and create a two-way trust relationship with the company's self-managed Active Directory.
D. Deploy an identity provider (IdP) on Amazon EC2. Link the IdP as an identity source within AWS 1AM Identity Center.
A company is implementing a new policy to enhance the security of its AWS environment. The policy requires all administrative actions that users perform on the AWS Management Console to be secured by multi-factor authentication (MFA). Which solution will allow the company to enforce this policy in the MOST operationally efficient way?
A. Enable MFA on the root account. Ensure that all administrators use the root account to
perform administrative actions.
B. Create an 1AM policy that requires MFA to be enabled for the 1AM roles that administrators assume to perform administrative actions.
C. Configure an Amazon CloudWatch alarm that sends an email notification when an administrator performs an administrative action without MFA.
D. Use AWS Config to periodically audit 1AM users and to automatically attach an 1AM policy that requires MFA when AWS Config detects administrative actions.
A company creates operations data and stores the data in an Amazon S3 bucket for the company's annual audit, an external consultant needs to access an annual report that is stored in the S3 bucket. The external consultant needs to access the report for 7 days. The company must implement a solution to allow the external consultant access to only the report. Which solution will meet these requirements with the MOST operational efficiency?
A. Create a new S3 bucket that is configured to host a public static website. Migrate the
operations data to the new S3 bucket. Share the S3 website URL with the external
consultant.
B. Enable public access to the S3 bucket for 7 days. Remove access to the S3 bucket when the external consultant completes the audit.
C. Create a new 1AM user that has access to the report in the S3 bucket. Provide the access keys to the external consultant. Revoke the access keys after 7 days.
D. Generate a presigned URL that has the required access to the location of the report on the S3 bucket. Share the presigned URL with the external consultant.
A solutions architect needs to implement a solution that can handle up to 5,000 messages per second. The solution must publish messages as events to multiple consumers. The messages are up to 500 KB in size. The message consumers need to have the ability to use multiple programming languages to consume the messages with minimal latency. The solution must retain published messages for more than 3 months. The solution must enforce strict ordering of the messages. Which solution will meet these requirements?
A. Publish messages to an Amazon Kinesis Data Streams data stream. Enable enhanced
fan-out. Ensure that consumers ingest the data stream by using dedicated throughput.
B. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use an Amazon Simple Queue Service (Amazon SQS) FIFO queue to subscribe to the topic.
C. Publish messages to Amazon EventBridge. Allow each consumer to create rules to deliver messages to the consumer's own target.
D. Publish messages to an Amazon Simple Notification Service (Amazon SNS) topic. Ensure that consumers use Amazon Data Firehose to subscribe to the topic.